//package com.zpz.framework.zpzoauth.config.xss;
//
//import java.io.BufferedReader;
//import java.io.IOException;
//
//import javax.servlet.Filter;
//import javax.servlet.FilterChain;
//import javax.servlet.FilterConfig;
//import javax.servlet.ServletException;
//import javax.servlet.ServletRequest;
//import javax.servlet.ServletResponse;
//import javax.servlet.http.HttpServletRequest;
//import org.apache.commons.lang3.StringUtils;
//import org.slf4j.Logger;
//import org.slf4j.LoggerFactory;
//import org.springframework.beans.factory.annotation.Value;
//import org.springframework.context.annotation.Configuration;
//import org.springframework.core.annotation.Order;
//
//@Configuration
//@Order(2)
//public class XssAndSqlFilter implements Filter {
//    private static final Logger logger = LoggerFactory.getLogger(XssAndSqlFilter.class);
//    @Override
//    public void destroy() {
//    }
//    @Value("${zpzOauth.antiattack.xssandsqlenable}")
//    private Boolean xssandsqlenable;
//    @Override
//    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
//        logger.info("=================xss-rule-XSS and SQL 过滤*****："+xssandsqlenable);
//        if (xssandsqlenable){
//            String method = "GET";
//            String param = "";
//            XssAndSqlHttpServletRequestWrapper xssRequest = null;
//            if (request instanceof HttpServletRequest) {
//                method = ((HttpServletRequest) request).getMethod();
//                xssRequest = new XssAndSqlHttpServletRequestWrapper((HttpServletRequest) request);
//                chain.doFilter(xssRequest, response);
//                return;
//            }
//            if ("POST".equalsIgnoreCase(method)) {
//                param = this.getBodyString(xssRequest.getReader());
//                if(StringUtils.isNotBlank(param)){
//                    if(xssRequest.checkXSSAndSql(param)){
//                        request.setAttribute("error", "您所访问的页面请求中有违反安全规则元素存在，拒绝访问!");
//                        request.getRequestDispatcher("/error/exthrow").forward(xssRequest, response);
//                        return;
//                    }
//                }
//            }
//            if (xssRequest.checkParameter()) {
//                request.setAttribute("error", "您所访问的页面请求中有违反安全规则元素存在，拒绝访问!");
//                request.getRequestDispatcher("/error/exthrow").forward(xssRequest, response);
//                return;
//            }
//        }
//        chain.doFilter(request, response);
//    }
//
//    @Override
//    public void init(FilterConfig arg0) throws ServletException {
//        // TODO Auto-generated method stub
//
//    }
//    // 获取request请求body中参数
//    public static String getBodyString(BufferedReader br) {
//        String inputLine;
//        String str = "";
//        try {
//            while ((inputLine = br.readLine()) != null) {
//                str += inputLine;
//            }
//            br.close();
//        } catch (IOException e) {
//            System.out.println("IOException: " + e);
//        }
//        return str;
//
//    }
//}
//    @Bean
//    public FilterRegistrationBean xssFilterRegistrationBean() {
//        FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
//        filterRegistrationBean.setFilter(new XssAndSqlFilter());
//        filterRegistrationBean.setOrder(1);
//        filterRegistrationBean.setEnabled(true);
//        filterRegistrationBean.addUrlPatterns("/*");
//        Map<String, String> initParameters = Maps.newHashMap();
////        -excludes用于配置不需要参数过滤的请求url。
////        -isIncludeRichText默认为true，主要用于设置富文本内容是否需要过滤。
//        initParameters.put("excludes", StringUtils.join(xssandsqlIgnoreUrl.getXssUrls(),","));
//        initParameters.put("isIncludeRichText", "true");
//        filterRegistrationBean.setInitParameters(initParameters);
//        filterRegistrationBean.setOrder(2000);
//        return filterRegistrationBean;
//    }
